CVE-2026-53224
Analyzed Analyzed - Analysis Complete

Linux Kernel SCTP Cookie Parsing Memory Corruption

Vulnerability report for CVE-2026-53224, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-02

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: sctp: validate embedded INIT chunk and address list lengths in cookie sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header. A malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk). Later, sctp_process_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads. In addition, raw_addr_list_len is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len and cause sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads. Fix this by: - requiring the embedded INIT chunk length to be at least sizeof(struct sctp_init_chunk); - validating that the INIT chunk and raw address list together fit within the cookie payload; - verifying sufficient data exists for each address parameter header and payload before parsing it. Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled. This will be addressed in a separate patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-02
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 2.6.12.1 (inc) to 6.18.36 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation, specifically in the handling of embedded INIT chunks and address list lengths within a cookie.

The function sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but it did not ensure that the INIT chunk was large enough to contain a complete INIT header. This allows a malformed COOKIE_ECHO message to carry a truncated INIT chunk with a length smaller than the expected size.

As a result, later processing in sctp_process_init() accesses INIT parameters without proper validation, which can lead to out-of-bounds reads.

Additionally, the raw_addr_list_len field is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len, causing sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads.

The fix involves requiring the embedded INIT chunk length to be at least the size of a complete INIT chunk, validating that the INIT chunk and raw address list together fit within the cookie payload, and verifying sufficient data exists for each address parameter before parsing.

Impact Analysis

This vulnerability can lead to out-of-bounds memory reads in the Linux kernel's SCTP implementation.

An attacker could exploit this by sending malformed COOKIE_ECHO messages with truncated or oversized embedded INIT chunks or address lists, potentially causing the kernel to read memory beyond intended boundaries.

Such out-of-bounds reads may lead to information disclosure, kernel instability, or crashes, depending on how the memory is accessed and handled.

Mitigation Strategies

The vulnerability is fixed by validating the embedded INIT chunk length and the raw address list length within the SCTP cookie payload to prevent out-of-bounds reads.

  • Ensure that the embedded INIT chunk length is at least the size of struct sctp_init_chunk.
  • Validate that the INIT chunk and raw address list together fit within the cookie payload.
  • Verify sufficient data exists for each address parameter header and payload before parsing.

Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled; this will be addressed in a separate patch.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53224. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart